[Zope] Controlling HTTP_REFERER

Shane Hathaway shane@digicool.com
Fri, 26 May 2000 10:19:47 -0400


John Hile wrote:
> > You might try creating a frameset.  Make a very small frame at the top
> > of the window that permits the user to return to your site and take up
> > the rest of the window with the other site.
> 
> Thanks for the suggestion, but it isn't the back button I'm concerned about.
> I'm concerned about not passing sensitive information encoded in the URI to
> an outside site via the HTTP_REFERER header that the browser creates. Our
> site normally uses SSL to protect the information, but if we include any
> links to outside pages and the user clicks one of those links, the browser
> will include the complete URI of the referring page in the HTTP_REFERER
> header when it requests the outside page. MSIE doesn't create a problem
> because it doesn't include the HTTP_REFERER header when you click on a
> non-SSL link from within an SSL page, but the Netscape browser does.

HTTP_REFERER should change to the URL of the frameset document, John. 
Just make sure the frameset document is in a non-protected URL.  I was
helping you kill two birds with one stone.

Shane
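
The exposure John describes can be audited before any frameset is put in place. The following is an added example, not part of the original thread and not Zope code: it lists the off-site URLs referenced by a page whose own URL carries query parameters. The name referer_leaks, the sample hosts and the sample HTML are constructed for illustration, and it assumes the query string is the sensitive part of the URI.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlsplit

# Constructed sample input: a page URL with parameters and the HTML it serves.
SAMPLE_URL = "https://intranet.example.test/account/view?session=abc123&acct=42"
SAMPLE_HTML = """
<a href="/help">Help</a>
<a href="https://intranet.example.test/faq">FAQ</a>
<a href="http://partner.example.org/offers">Partner</a>
<img src="http://stats.example.net/pixel.gif">
<a href="mailto:admin@example.test">Mail</a>
"""

# Tag -> attribute whose URL the browser will request or navigate to.
URL_ATTRS = {"a": "href", "area": "href", "link": "href", "img": "src",
             "script": "src", "frame": "src", "iframe": "src"}

class _Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.links.append((tag, value))

def referer_leaks(page_url, html):
    """Return off-site references that could receive page_url as the referer."""
    page = urlsplit(page_url)
    params = [k for k, _ in parse_qsl(page.query, keep_blank_values=True)]
    if not params:
        return []  # nothing encoded in the query string to expose
    collector = _Links()
    collector.feed(html)
    findings = []
    for tag, raw in collector.links:
        target = urlsplit(urljoin(page_url, raw))  # resolve relative links
        # Only HTTP(S) requests carry a referer; same-host links stay on site.
        if target.scheme in ("http", "https") and target.hostname != page.hostname:
            findings.append({"tag": tag, "target": target.geturl(), "exposed_params": params})
    return findings

if __name__ == "__main__":
    for finding in referer_leaks(SAMPLE_URL, SAMPLE_HTML):
        print(finding)
```

Embedded resources such as images are included because the browser requests them without any click.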